
Introduction to the new SysJoker threat

In-depth analysis reveals evolutions and risks of SysJoker cross-platform malware

A new version of the SysJoker malware has been discovered. It now uses the Rust language to avoid detection and may be linked to hackers associated with Hamas, according to Check Point.


An advanced version of the SysJoker malware, known for its ability to infiltrate operating systems as diverse as Windows, Linux and macOS, was recently discovered. This cyber threat, which had previously evaded antivirus detection, has been rewritten in the Rust programming language, known for its security and performance. SysJoker's salient features are a payload that runs entirely in memory and the ability to keep a low profile by using native operating system commands.

Links between the new SysJoker and previous attacks

Cyber security researchers at Check Point, analyzing the new SysJoker variant, found similarities with "Operation Electric Powder", a series of cyberattacks that began in 2016 against Israeli targets, allegedly orchestrated by a Hamas-linked group known as "Gaza Cybergang". SysJoker's move to the Rust language was first identified on October 12, 2023, amid growing tension between Israel and Hamas, suggesting a potential escalation of cyber-offensive tactics.

Features and operations of the Rust variant of SysJoker

The new SysJoker variant stands out for its use of random wait intervals and custom encryption, both of which make code analysis and detection harder. Once launched, the malware establishes persistence by modifying the system registry through PowerShell. It then establishes communication with the command and control (C2) server, whose address it retrieves from a OneDrive URL. SysJoker's primary purpose is to load additional payloads onto the compromised system, driven by JSON-encoded commands.

Possible links to Gaza Cybergang and associated risks

While this SysJoker variant differs from earlier versions, most notably in lacking the command execution capability they had, Check Point researchers identified a possible link to the "Gaza Cybergang" through the use of the "StdRegProv" WMI class in the PowerShell commands used for persistence. This technique is consistent with past attacks, particularly those against the Israel Electric Company. Even so, a definitive attribution of SysJoker to the "Gaza Cybergang" cannot be confirmed with certainty on the currently available data.
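The registry persistence via PowerShell described in the previous section, and the StdRegProv detail above, are what a defender would want to hunt for in PowerShell script-block logs. The following detection helper is an added example, not code from the article or from Check Point's analysis: it flags script blocks that call a StdRegProv write method against an autorun key. The article names no specific registry path, so the standard Run/RunOnce keys are an assumption used for illustration, and the log records below are constructed samples, not real SysJoker artifacts.

```python
"""Flag PowerShell script blocks that use the StdRegProv WMI class to write
autorun registry values. Added example; the records below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the article names no registry path, so the standard Run/RunOnce
# autorun keys are used here as the persistence locations to watch.
AUTORUN_KEY_RE = re.compile(
    r"software\\microsoft\\windows\\currentversion\\run(?:once)?\b", re.IGNORECASE
)

# StdRegProv methods that create keys or write values. Read-only methods such
# as GetStringValue or EnumKey are deliberately excluded to keep noise down.
WRITE_METHOD_RE = re.compile(
    r"\b(SetStringValue|SetExpandedStringValue|SetMultiStringValue|SetBinaryValue"
    r"|SetDWORDValue|SetQWORDValue|CreateKey)\b",
    re.IGNORECASE,
)

# hDefKey root handles as StdRegProv expects them, in decimal or hex form.
HIVE_RE = re.compile(r"\b(0x8000000[0-3]|21474836(?:48|49|50|51))\b", re.IGNORECASE)
HIVE_NAMES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}


@dataclass
class Finding:
    record_id: int
    method: str
    hive: str
    subkey: str


def find_stdregprov_persistence(record_id: int, script_block: str) -> Optional[Finding]:
    """Return a Finding when a script block writes to an autorun key via StdRegProv."""
    if "stdregprov" not in script_block.lower():
        return None                      # rule is specific to the WMI class
    method = WRITE_METHOD_RE.search(script_block)
    if not method:
        return None                      # read-only use of StdRegProv
    key = AUTORUN_KEY_RE.search(script_block)
    if not key:
        return None                      # a write, but not to an autorun location
    hive_match = HIVE_RE.search(script_block)
    hive = HIVE_NAMES.get(int(hive_match.group(1), 0), "unknown") if hive_match else "unknown"
    return Finding(record_id, method.group(1), hive, key.group(0))


def scan(script_blocks: List[str]) -> List[Finding]:
    """Run the rule over a batch of script-block texts (e.g. from event log exports)."""
    findings = []
    for record_id, block in enumerate(script_blocks):
        finding = find_stdregprov_persistence(record_id, block)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample script blocks (hypothetical, not from a real incident).
SAMPLE_SCRIPT_BLOCKS = [
    # 0: [wmiclass] form writing an HKCU Run value -> should be flagged
    "$r = [wmiclass]'root\\default:StdRegProv'; $r.SetStringValue(2147483649, "
    "'Software\\Microsoft\\Windows\\CurrentVersion\\Run', 'Updater', 'C:\\Users\\Public\\update.exe')",
    # 1: read-only StdRegProv query -> benign, not flagged
    "Invoke-CimMethod -Namespace root/default -ClassName StdRegProv -MethodName GetStringValue "
    "-Arguments @{hDefKey=[uint32]2147483650; sSubKeyName='SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion'; sValueName='ProductName'}",
    # 2: Invoke-CimMethod form writing an HKCU RunOnce value -> should be flagged
    "Invoke-CimMethod -Namespace root/default -ClassName StdRegProv -MethodName SetStringValue "
    "-Arguments @{hDefKey=[uint32]2147483649; sSubKeyName='Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce'; sValueName='svc'; sValue='C:\\ProgramData\\s.exe'}",
    # 3: StdRegProv write to an application key -> not an autorun location, not flagged
    "Invoke-CimMethod -Namespace root/default -ClassName StdRegProv -MethodName SetDWORDValue "
    "-Arguments @{hDefKey=[uint32]2147483649; sSubKeyName='Software\\Contoso\\App'; sValueName='Mode'; uValue=1}",
    # 4: Run key written with a cmdlet, no StdRegProv -> outside this rule's scope
    "Set-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -Name Helper -Value 'C:\\Tools\\h.exe'",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"record {f.record_id}: {f.method} on {f.hive}\\{f.subkey}")
```

The rule is intentionally narrow: it keys on the StdRegProv class plus a write method plus an autorun path, so ordinary inventory scripts that only read the registry through WMI do not fire, and record 4 shows that cmdlet-based registry writes need a separate rule. In practice the script-block text would come from PowerShell ScriptBlock logging rather than the inline list.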


11/27/2023 16:57

Marco Verro
